Vulnerabilities let people see your Tinder swipes and photos

Think twice about using Tinder on public Wi-Fi. A security firm says the dating app uses insecure encryption that could let hackers snoop on your activity.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The Tinder app has flaws that could let a hacker spy on your dating activity, says a security company.

James Martin/CNET

You might want to swipe left on Tinder's security.

Researchers at Checkmarx, which helps developers test the security of their applications, said in a blog post Tuesday that the popular dating app has a couple of vulnerabilities. The flaws could let an attacker on the same Wi-Fi network you're using see what profile photos you're looking at and whether you swipe right or left, Checkmarx said. That's because profile pictures on Tinder use HTTP instead of HTTPS, the encrypted protocol that more than half the internet uses to protect data from prying eyes.

If you're unfamiliar with Tinder, more than 50 million people use it to find dates based on photos, swiping left to reject a prospect or right to express interest. The researchers said they found these flaws in both the Android and iOS versions of Tinder. Tinder didn't respond to a request for comment.

Because Tinder's profile pictures use the insecure and outdated HTTP connection, an attacker on the same network could spy on the internet traffic and view the images. The hacker would even be able to replace the pictures without the victim knowing, Checkmarx said.

"If they want to do it maliciously, they can change the images, they could put adverts in," Erez Yalon, Checkmarx's manager of Application Security Research, told ZDNet. The second security vulnerability lets attackers see how you use Tinder, from what you've swiped on to what you've "super liked."

Though that data is encrypted, Checkmarx said, an attacker who analyzes the traffic can still work out what it means. That's because each action produces a request of a specific size: likes, dislikes and super likes each have a distinct length. So while the content itself is hidden, it doesn't take long to infer what the different chunks of traffic represent.

Checkmarx recommended that Tinder move all its operations onto HTTPS, and that it also make the encrypted packets much less recognizable. The security firm disclosed the vulnerabilities to Tinder several months ago and they haven't been fixed yet, so Checkmarx decided to make them public.
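As an added illustration (not code from Checkmarx, Tinder or CNET), the Python below shows why distinct request sizes identify the action even under encryption, and how padding every request to a fixed bucket, the kind of fix Checkmarx recommended, removes the tell. The cipher is a length-preserving stand-in for TLS record encryption, and the three payloads and the 128-byte bucket are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed sample payloads standing in for the three swipe actions the
# article describes; like the real requests, they differ in length.
ACTIONS = {
    "like": json.dumps({"action": "like", "id": 1234567}),
    "dislike": json.dumps({"action": "dislike", "id": 1234567}),
    "superlike": json.dumps({"action": "superlike", "id": 1234567}),
}
BUCKET = 128  # padding granularity in bytes (an assumed value)

def keystream(key, nonce, length):
    # SHA-256 in counter mode as a length-preserving stand-in for the TLS
    # record cipher: ciphertext is plaintext length plus a constant overhead,
    # exactly as with AES-GCM, and that length is what a passive observer sees.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def pad_to_bucket(plaintext, bucket=BUCKET):
    # Mitigation: a 2-byte length prefix plus zero padding up to a multiple of
    # `bucket`, so every action produces the same ciphertext length.
    framed = len(plaintext).to_bytes(2, "big") + plaintext
    padded_len = -(-len(framed) // bucket) * bucket
    return framed + b"\x00" * (padded_len - len(framed))

def unpad(padded):
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]

def length_fingerprints(key, pad):
    # What someone on the same network learns: the ciphertext length per action.
    return {name: len(encrypt(key, pad_to_bucket(m.encode()) if pad else m.encode()))
            for name, m in ACTIONS.items()}

def distinguishable(sizes):
    # True when each action has a unique length, i.e. the side channel is open.
    return len(set(sizes.values())) == len(sizes)
```

Without padding, `length_fingerprints` returns three different sizes; with padding, all three actions are 172 bytes on the wire and `distinguishable` reports False.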

Checkmarx's researchers said they haven't found any examples of the flaws actually being exploited by hackers, but it's still possible. You can keep yourself safe by being wary of public Wi-Fi connections. 

Checkmarx posted a proof-of-concept video last month to demonstrate how the flaws could be exploited.
